The GDPR – A Clarity perspective

Published on the 13-09-17

As you may have heard, the Data Protection Act 1998 (DPA) – which currently governs the collection, storage and handling of personal data in the UK – will be replaced from 25th May 2018 with the General Data Protection Regulation (GDPR).

Lauded as the ‘biggest change to data protection law in a generation’, the GDPR has attracted a lot of attention recently – particularly due to the rather large sums that companies could be fined for non-compliance. Bear in mind that while the rules are more rigorous for the treatment of individuals’ data, if you have both business and private customers, the safest option is to update your policies and procedures in line with the regulation for individuals’ data. There are other changes on the horizon if you market your products or services to business customers only, and these changes will also be based on the GDPR, so it’s a good idea to be aware of what it requires.

We’ve received a few enquiries around the role of Clarity Software in light of the GDPR, so we’ve created this guide. Please note that the GDPR is a complex beast so we won’t be attempting to explain it all here, but the ICO (Information Commissioners Office) has plenty of information to help you prepare. The information in our guide does not constitute legal advice and if you are collecting, storing or processing personal data i.e. data which could identify a living individual either on its own, or together with other data which is easily accessible to you, you should seek specialised legal advice about how the GDPR may apply to your business.

Consent

Consent has always been an important part of the DPA, but the GDPR sets the bar even higher. As the ICO states: ‘Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.’ Under the GDPR, consent to data processing should be:

Specific: individuals must be told of each processing operation they are agreeing to;

Freely-given: agreement to a contract cannot be contingent upon consent to the processing of an individual’s personal data, unless the processing is necessary to fulfil that contract;

Informed: the individual must be told about what will be done with their data e.g. if it will be transferred to anyone else; and

Unambiguous: explaining what processing operations you carry out must be in simple language, and take account of the person’s age and level of understanding.

While you don’t need to request consent to process data in relation to any contract you have with your customers, such as when providing goods or services to them, you do need consent from individuals if you’re planning to send them marketing materials – either through the mail or over email.

The biggest change is that consent to direct marketing now requires a positive opt-in. That means you absolutely can’t use pre-ticked boxes or any other method of consent which is automatic. You must provide a very clear, granular, specific description of how data will be used, not bury it in other terms and conditions and the user must perform an affirmative action to give their consent.

It’s a good idea to review the way you capture customer details currently and look into rewriting any consent forms you use in order to take account of the new regulatory requirements. Also, the GDPR requires that consent be as easy to withdraw as it is to give – this means that you must allow your customers the opportunity to opt-out at any time after they first consented e.g. through a link at the bottom of every marketing email you send them. However, under the GDPR it is not enough that you comply with its requirements – you must document the ways in which you are complying with them, in case the ICO ever asks you to demonstrate that you have done so. This is known as the ‘accountability principle’. This means that you must maintain records of the technical and organisational measures which your business is taking in order to meet the high standards imposed by the GDPR.

Clarity and consent

In email templates created through Clarity Go, there’s a mandatory ‘unsubscribe’ option which allows your customers to unsubscribe from future marketing. In the lead up to May 2018 we will look into making the unsubscribe options presented to your customers clearer, more specific and granular.

Later (in the ‘Documentation you must have’) section we look at customised fields you might want to add to your contact cards in Clarity to capture exactly how you obtained the personal data you hold, and what consent mechanism was used at the time. This will help you comply with the accountability principle.

Data portability

The idea behind data portability is to make sure individuals have the ability to transfer their personal data from one controller to another in a commonly-used electronic format. The ICO is intending to release more details around data portability requirements later this year, and we will update you when we know more.

Clarity and data portability

Your customers’ details that are stored in Clarity can easily be transferred between computer systems as CSV files. CSV is a structured, commonly used, machine-readable file type and therefore is likely to adhere to the requirements of the GDPR.

Customer requests for data

Much like the DPA, the GDPR includes a so-called ‘right of access.’ In brief, this means that if a customer asks for a copy of all the personal data which you hold about them (or any part of it), you must give it to them – within a month. Prior to the GDPR, the time limit has been 40 days. The GDPR has also done away with the £10 fee which companies were permitted to charge under the DPA. From 25 May 2018, you will only be able to ask customers to pay a fee where their request is manifestly unfounded, excessive or where the individual asks for multiple copies of the same data. Even then, the fees you charge must be based on the actual administrative costs of providing the information, and will likely be subject to certain limits.

Clarity and requests for data

To capture the details of a contact in Clarity Pro:

Navigate to ‘Reports’

Click the ‘Contacts’ folder on the left-hand side

Double click ‘Contact Print’ and enter the company name you wish to print the details for and click ‘OK’ Click ‘Contact Print’

Print or save the document as required Search for the company by name, then save the document to either post or email to your customer.

In Clarity Go:

Hover over the contacts menu and select ‘List Builder’

On the main part of the screen click the ‘Add or remove individual contacts’ option

Click the green ‘+’ under the ‘Always include the following contacts’

Type the name of the required contact and click on their name

Click on the update button, one contact should be found

Click on the grid option, once displayed you now have the option to Export, this will download the .CSV file direct to the machine you are on. The file will display at the bottom of the screen and is also located in the downloads folder.

If a customer requires copies of all activities and quotes, we can help you extract these, provided that we have enough notice. If you receive this kind of request, just call support on +44 (0)121 248 2448 as soon as possible, and we will do our best to help you.

Right to be forgotten

If a customer asks for their data to be deleted, you need to have a procedure in place to do so. You must make sure that any copies of their data are deleted and that you ask any third parties to whom you have supplied the data to also delete it, to the extent reasonably possible. If a customer retracts their consent, they may also ask for you to delete their details.

The right to be forgotten is not unconditional. If there are reasons for you to retain customer data (in the case of a warranty for example) you may not have to comply.

Clarity and the right to be forgotten

How to delete a contact in Clarity Pro:

Open the contact card for the contact you wish to delete, if this is the main contact you will first need to make another contact the main contact for that company.

To make a contact the main contact open their contact card and change the type (far right) to ‘Main’).

Now return to the contact you wish to delete.

Using the Contacts menu at the top of the screen select ‘Delete contact’. The system will now check if this contact has any data, Activities, Quotes etc. If they do the system will ask you to either move this data to another contact or delete all (there is no way to retrieve this data if it is deleted).

Once you have chosen the option click ‘OK’ and ‘Yes’ to confirm. If the contact doesn’t have any data you will simply need to confirm you are happy to delete them.

Please note, if you want to delete a contact and they are the only contact within the company you will have to choose the ‘Delete Company’ option from the contacts menu at the top of the screen, this will again prompt to move the data if there is any present, choose the desired option and click OK then Yes to confirm. The data will be lost if you delete it.

How to delete a contact in Clarity Go:

If you have Clarity Pro and Clarity Go and they are synced, simply follow the steps above, this will also remove the contact from Clarity Go.

If you only have Clarity Go:

Using the contacts module locate the contact you wish to delete.

With their contact card open, choose the ‘Edit’ option against the contact, not the one against the company.

You should now see a ‘Dormant’ option – click this and click the ‘Dormant Contact’ option.

Click ‘Edit’ again, you now have the ability to delete the contact.

Click ‘Delete Forever’.

The system will prompt to move the data to another contact, you have to do this as clicking cancel will stop the deletion process.

Documentation you must have

Maintaining accurate, up-to-date records is a key element of the GDPR.

The accountability principle dictates that you should document what personal data you hold, where it came from and who you share it with as well as records of all processing activities. You must also keep evidence of consent – who, when, how, and what you told people.

Clarity and documentation you must have

Clarity can be a highly useful tool in documenting the required detail about the data you hold. You can add customised fields to your contact cards such as how you obtained data (a form on your website for example) as well as exactly when and how you obtained consent. Just make sure that you document exactly the language used when gaining consent. You can do this by numbering your consent versions and capturing the version number in a customised field.

We will be looking into adding these fields to Clarity as standard, but if you’d like to get ahead of the curve, see ‘How to create customised fields’ below. We will also be looking into introducing a more comprehensive event log to capture any changes you make to your customers’ data.

How to create customised fields:

In Clarity Pro:

Open the Clarity Server Administrator, select ‘Manage’ and login

Click on the ‘User Fields’ tab, once the tab is displayed make sure the ‘Contacts’ option is selected

Type the name of the new field, select the type of field and add options if required

Save the changes and restart Clarity, the new field will now be visible on the contact card

In Clarity Go:

Open any contact card and choose the Edit option against the contact

Scroll to the bottom of the page and Click on the ‘Create a New User Field’ option, type the name of the new field and select the type, click OK when you have finished

This new field will be available in the field picker list if you wish to see it against contacts

Procedures for a data breach

Under the GDPR, you must report a data breach to the relevant authority within 72 hours of discovering the breach. Failure to notify a breach can result in a significant fine up to 10 million Euros or 2% of your global turnover.

Clarity and the security of your data

Data kept in Clarity Pro is located on your local server and is therefore protected by the firewalls and IT policies you have in place. In order to protect your customers’ data, all users of Clarity within your business should be made aware of the importance of data privacy and protection. Ideally, every user should have their own login and password – and change their password every month.

Data kept in Clarity Go is stored on Clarity Go’s servers, which are hosted in UK Fast’s secured building in Manchester. UK Fast are one of the UK’s leading hosting providers. Access to Clarity Go’s server is protected by a dedicated hardware firewall, which is maintained separately to our servers.

All customer connections to Clarity Go are encrypted using the latest SSL technology, ensuring that all data passed between you and the server cannot be read or interfered with by a third-party. This happens when you use the application in your browser, when data is passed back and forth in the sync to Clarity Pro in your office, and when using any other third-party integrations.

The sync with Clarity Pro sends and receives data by establishing an outbound connection from your server to Clarity Go’s servers. Clarity Go never creates a direct connection back to your server, meaning you do not need to expose your server to the internet.

All access to your data in Clarity Go is accessed via a secure login, which can be reset by you at any time. User passwords are hashed and individually salted, meaning even if the database is compromised, no-one can gain access to your password, including us. Administrative access to Clarity Go’s servers can only be made using secure encrypted connections, using passwords known only by a select handful of dedicated engineers working at Touch Systems’ offices, and which are routinely changed.

Regular backups of all data held within Clarity Go are taken for the purposes of disaster recovery. There is a 28-day retention policy for data used for the purposes of activating the sync, after which this data is removed. We reserve the right to access your data in Clarity Go for the purposes of diagnosing issues.